Privacy Notice
Last updated: April 12, 2026
This notice explains how Bytium ("Bytium", "we") handles personal data on our public website, the Bytium Platform (app.bytium.com), and through our security scanning services. We process only what is necessary to provide our services, secure our systems, and comply with our obligations.
What we collect
Public website
- Contact details and context you submit (name, email, company, security needs).
- Consent choices for cookies and marketing communications.
- Minimal technical data (IP address, user agent, timestamps) for security and abuse prevention.
Platform and account
- Account data from OAuth providers (Google, GitHub): name, email address, provider account ID. We do not store OAuth access tokens or passwords.
- Organization data you provide: organization name, domains, and asset configurations.
- Authentication and activity logs: login timestamps, IP addresses, user agents, and actions performed.
- Role and permission data for access control.
Security scanning (Bytium Active)
- Domains, subdomains, and IP addresses you configure for monitoring.
- Scan results: vulnerability findings, risk assessments, port scan data, DNS records, TLS certificate information, and web application analysis.
- AI-generated summaries and remediation recommendations based on scan findings.
- Evidence and proof files generated during scanning.
- Discovered subdomains and services found during enumeration.
Billing
- Subscription plan and billing cycle information.
- Payment processing is handled by Stripe. We store your Stripe customer ID but not credit card numbers or bank details.
- Invoice records and payment history.
Cookies
- Essential cookies for session management and security (authentication tokens, OAuth state, CSRF protection).
- Non-essential analytics cookies only if you consent via the banner.
Why we process data
- Service delivery (contract): operate the Platform, execute security scans, generate reports, and manage your subscription.
- Security and abuse prevention (legitimate interest): authentication, rate limiting, nonce replay prevention, IP allowlisting, audit logging, and webhook signature verification.
- Communication (contract/legitimate interest): transactional emails (welcome, subscription confirmation, payment alerts, cancellation notices), and service-related notifications.
- Analytics (consent): understand site and Platform usage to improve the experience (non-essential, opt-in).
- Legal and compliance (legal obligation): maintain records required by law, respond to legal requests, and establish or defend legal claims.
Sharing and processors
We do not sell personal data. We use trusted processors for:
- Hosting and infrastructure: cloud providers for Platform hosting and data storage.
- Payment processing: Stripe for subscription billing and payment management.
- Email delivery: AWS SES or equivalent SMTP provider for transactional emails.
- Authentication: Google and GitHub for OAuth sign-in. Your credentials remain with the identity provider; we receive only the profile fields listed above (name, email address, provider account ID) and never an access token or password.
All processors act under our instructions and under agreements that include data protection terms. Scan results and vulnerability findings are treated as confidential: they are never shared with other customers, and they are disclosed to no third party other than the processors listed above that host and store Platform data.
Retention
- Public inquiries: kept for up to 12-24 months after the last interaction.
- Account and platform data: retained while your account is active. Upon cancellation, data is retained for the period specified by your plan (30 days for Starter, 90 days for Professional, 1 year for Enterprise), then deleted.
- Scan results and findings: retained according to your plan's retention period. You may request earlier deletion.
- Audit and authentication logs: retained for 90-180 days for security and compliance purposes.
- Billing records: retained as required by applicable tax and accounting law (typically 7 years).
International transfers
We provide services globally (including the EU/EEA, US, and other regions). If personal data is processed outside your region, we use appropriate safeguards — such as Standard Contractual Clauses (SCCs) or equivalent protections — where required by law.
Your rights
Where applicable under GDPR or similar data protection laws, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data (subject to legal retention requirements).
- Restriction: limit how we process your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: revoke consent for non-essential processing at any time.
To exercise your rights, contact us at the details below. We respond within the timeframes required by applicable law (typically 30 days).
Data security
We implement technical and organizational measures to protect your data, including: HMAC-signed data pipelines with nonce replay prevention, bcrypt password hashing, JWT session tokens with httpOnly cookies, IP allowlisting, rate limiting, and audit logging. Scan data is encrypted in transit (TLS) and at rest.
Contact
Privacy inquiries and data requests: [email protected] or submit a privacy request.
Updates
We may update this notice. Material changes will be communicated via email or through the Platform. The "last updated" date reflects the latest version.